
500,000,000 forbidden passwords/hashes? What exactly is the real benefit of excluding those? It only matters if someone steals your list of hashed passwords AND you have hashed them in some deficient way (poor salting etc) so that the hashes may be "reversed" and used.

That a password has been used by someone else in the past, for some other reason, and that password is now on some database, does not make that password dangerous. What matters is whether your users are using the same passwords across multiple services, services out of your control. But ATM no tech out there would allow you to test for this.

If your system cannot detect someone running 500,000,000 passwords against a single account, you have far bigger problems.
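The comment above says a system ought to notice a flood of failed logins against one account. As an added example (not code from anyone in this thread), here is a small sliding-window detector in Python run over constructed sample log lines; the log format, field names, threshold and window size are all assumptions made for the example.

```python
"""Flag accounts that receive an abnormal burst of failed logins.

Added example, not from the thread. The log format below is constructed:
"<ISO timestamp> <RESULT> user=<account> ip=<address>".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines: six rapid failures against "alice",
# two widely spaced failures against "bob".
SAMPLE_LOG = """\
2024-01-01T10:00:00 FAIL user=alice ip=203.0.113.5
2024-01-01T10:00:01 FAIL user=alice ip=203.0.113.5
2024-01-01T10:00:02 FAIL user=alice ip=203.0.113.5
2024-01-01T10:00:03 FAIL user=alice ip=203.0.113.5
2024-01-01T10:00:04 FAIL user=alice ip=203.0.113.5
2024-01-01T10:00:05 FAIL user=alice ip=203.0.113.5
2024-01-01T10:00:30 OK   user=bob   ip=198.51.100.7
2024-01-01T10:05:00 FAIL user=bob   ip=198.51.100.7
2024-01-01T10:20:00 FAIL user=bob   ip=198.51.100.7
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, result, user, ip)."""
    ts_str, result, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts_str), result, kv["user"], kv["ip"]


def find_bruteforced_accounts(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {account: time_first_flagged} for every account that sees more
    than `threshold` failed logins inside any sliding `window`.

    Successful logins are ignored; only failures count toward the burst.
    """
    recent = defaultdict(deque)   # account -> timestamps of recent failures
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, result, user, _ip = parse_line(line)
        if result != "FAIL":
            continue
        q = recent[user]
        q.append(ts)
        # Drop failures that have aged out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold and user not in flagged:
            flagged[user] = ts
    return flagged


if __name__ == "__main__":
    for account, when in find_bruteforced_accounts(SAMPLE_LOG).items():
        print(f"{account}: burst of failed logins detected at {when.isoformat()}")
```

In the sample, "alice" crosses the threshold on the sixth failure and "bob" never does, because his two failures are fifteen minutes apart. In a real deployment the same counter would also be kept per source address, since a credential-stuffing run spreads a few attempts over many accounts rather than many over one.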




As far as stopping password reuse, I recall seeing a while ago on HN a "joke" tool to do just that, by attempting to log into a bunch of services with the email / pass provided. I believe it was called Evilpass.

I personally prefer the "zxcvbn" method, which is why I wrote a Java library for my company inspired by it called nbvcxz.


Because the hackers have that same list of 500,000,000 passwords, so when they steal your password hashes and want to brute force your passwords, they can start with the 500 million most common passwords instead of having to try random strings (there are 208 billion random 8-letter lowercase strings).


> What matters is whether your users are using the same passwords across multiple services, services out of your control. But ATM no tech out there would allow you to test for this.

Checking against a list of known passwords from breaches does accomplish this, albeit with a high false positive rate.
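The comments above describe two things: why a known-password list is checked at all (an attacker with stolen hashes tries the common list long before the 208 billion random 8-letter strings), and that the check itself is a membership test against breach data. As an added example (not code from the thread or from any breach-list service), the Python below indexes a constructed stand-in breach list by SHA-1 hash prefix and answers "has this password been seen, and how often" from the prefix bucket, the same shape as a prefix range query, so a remote list holder would only ever see the prefix. The hash function, prefix length, policy thresholds and the tiny breach list are all assumptions made for the example.

```python
"""Reject candidate passwords that appear in a breach list.

Added example, not from the thread. The breach list is a constructed
stand-in for the real 500M-entry corpus.
"""
import hashlib

# Constructed stand-in for a breach corpus: password -> times seen.
CONSTRUCTED_BREACH_LIST = {
    "password": 3_000_000,
    "123456": 20_000_000,
    "letmein": 250_000,
    "qwerty": 4_000_000,
}


def sha1_hex(s):
    """Uppercase hex SHA-1 of a string (assumed hash for the index)."""
    return hashlib.sha1(s.encode("utf-8")).hexdigest().upper()


def build_range_index(breach_list, prefix_len=5):
    """Index breach hashes by their first `prefix_len` hex characters:
    {prefix: {suffix: count}}. A lookup only needs to fetch one bucket."""
    index = {}
    for pw, count in breach_list.items():
        h = sha1_hex(pw)
        index.setdefault(h[:prefix_len], {})[h[prefix_len:]] = count
    return index


def breach_count(password, index, prefix_len=5):
    """How many times `password` appears in the indexed list (0 if never).
    The prefix selects a bucket; the suffix comparison happens locally, so
    the bucket holder learns only the prefix, never the password."""
    h = sha1_hex(password)
    bucket = index.get(h[:prefix_len], {})
    return bucket.get(h[prefix_len:], 0)


def evaluate_password(password, index, min_len=12):
    """Policy decision (thresholds are assumptions): breached passwords are
    rejected outright, then a minimum length is enforced."""
    count = breach_count(password, index)
    if count:
        return (False, f"seen {count} times in breaches")
    if len(password) < min_len:
        return (False, f"shorter than {min_len} characters")
    return (True, "ok")


def bruteforce_space(alphabet_size, length):
    """Size of the exhaustive search space the comment contrasts with the
    500M list: 26 lowercase letters, length 8 gives about 208 billion."""
    return alphabet_size ** length


if __name__ == "__main__":
    index = build_range_index(CONSTRUCTED_BREACH_LIST)
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", evaluate_password(candidate, index))
    print("random 8-letter lowercase strings:", bruteforce_space(26, 8))
```

The false-positive point made above shows up directly: a password is rejected whenever it is on the list, regardless of whether this particular user reused it anywhere. The reply below about false negatives holds too, since a reused password that has never leaked has a count of 0 and passes this check.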


Does it? If I have used the same password at a dozen sites, and none of those sites have ever suffered a public breach, then my password isn't in any public database.[1] So you will also have a high false negative rate, something far more dangerous than false positives.

I don't think I'm alone in using passwords across multiple sites. Everyone here lives in that glass house.


> and none of those sites have ever suffered a public breach

Yet. That you know of.

> Everyone here lives in that glass house.

No, some of us use password manager software for exactly this reason - so we don't use the same password across multiple accounts and have a smaller blast radius when/if a password is compromised.


Lol, until your password manager suffers a breach. Even without a full breach of data, if your password manager's password creation algorithm is made public then your passwords are just as open as anyone else's, perhaps more so. Managers are better, but they aren't the home run people think they are.


You realize there are password managers that aren't cloud based? Also, even if cloud based, they offer TFA. Some offer automatic password rotation/update for your sites. I don't see how the creation algorithm being made public would make my data "just as open as anyone else's, perhaps more so"?

